How to protect from threats against USB enabled devices

[Free CISSP Exam Study Guide] Get expert advice that will help you pass the CISSP exam: sample questions, summaries of all 8 CISSP domains and more!

Reports have been circulating that e-cigarette chargers from China were corrupted and infected machines with malware. Many journalists took the story at face value, even though the only source was a single post on the subreddit r/talesfromtechsupport. As the story goes, an executive’s system was infected by malware. IT “scoured’ the system for answers and finally found out the only possible source was the executive’s e-cig charger. The device was made in China and the assumption was the malware was loaded intentionally onto the charger’s firmware.

The Chinese have become a popular punching bag since their economy is booming, their influence is growing and their cyber history is a wee bit sketchy.

Closer inspection (because stories need more than one source to be considered legit) showed there was certainly no widespread malware, and the single incident with the executive could not be confirmed.
This notion has been widely debunked, and while the idea of an e-cig charger carrying malware may be far-fetched, it is not impossible. Another thing to think about is that the very publicizing of such an attack method, whether true or false, surely has hackers across the globe trying to figure out how to do it.

Now that these rumors, now written as news stories, have been so thoroughly disproved, let’s examine the lesson this incident teaches. The most obvious one is that news stories should not be written based on one Reddit post citing an anonymous user, but perhaps the most important lesson is that whilst USB cigarette chargers are, so far safe, USB ports and USB devices will always be inherently dangerous.

USB and malware
USB can be an effective and simple route to infection. Take a thumb drive for example. It is child’s play to load malware on one and a disgruntled employee could easily do so to infect an organization for unfair treatment. There is also malware that specifically targets USB devices and can spread when they are plugged into other machines. A more common infection route may be the inadvertent installation of a virus onto the drive from already infected files, similar to when floppies spread viruses, then CDs and later on DVDs. The problem is that there is a wide range of USB devices which can harbor these kind of nasties – from USB hard drives to smartphones to even the seemingly innocent iPod.

There are a number of other ways USB devices can spread malware. In the case of the e-cig charger, the idea was that malware was installed on the firmware at the manufacturer in China. If this really happened, the USB charger would have spread malware to all the thousands that plugged it in and not just the one. USBs use one feature that makes them particularly effective spreaders of malware. Like CDs and DVDs with executables, USBs go through Windows AutoRun. The bad code could be activated before you even know it and many USB-specific bits of malware are designed to exploit that very same Windows feature.

BadUSB
IT pros got a USB scare last year with the release of BadUSB, a well-publicized proof-of-concept USB attack. BadUSB was actually written by the good guys, so-called white hat hackers, who wanted to prove what was possible and raise a warning flag. The exploit can modify USB firmware and turn it into a bit of a Manchurian Candidate, able to take control of machines it is plugged into. This technique conceivably could infect devices such as an e-cig charger.

The exploit can even work its evil magic on keyboards, mice, webcams, almost anything with a USB connector. Even worse, when this is done right, typical security defenses are of little help.

BadUSB follows on the heels of the older Stuxnet worm that was so crafty it even infected machines in a heavily fortified Iranian nuclear operation (even though that facility was air-gapped). Despite that total network isolation, all it took was one infected USB device! This nasty piece of malware, the Stuxnet rootkit, propagates via USB drives and works even when Windows 7 AutoRun and AutoPlay are disabled.

Before BadUSB came the notorious Conficker virus which wreaked some serious havoc. Two variations, B and C, were designed specifically to go after USB, and that was credited with their widespread proliferation. These two variants loaded malicious Dynamic Link Libraries (DLL) onto USB devices and relied on Windows AutoRun to install the malware. The city of Manchester in the UK was infected to the extent that the City Council incurred some GBP1.5 million in disruption and damage costs due to this USB-borne outbreak. Their response? No more USB drives allowed.

Beware, sometimes hackers will leave infected USB thumb drives in the hope they are picked up and plugged in out of curiosity or because they are free.

USB and data leaks
Many PCs these days, especially ultra-slim notebooks, have made away with CD/DVD drives. That may seem safer, but the USB port is still a data leak waiting to happen.

USBs can leak data in myriad ways. One is the seemingly innocent episode of a worker taking files home. These can be full of confidential financial and customer data and once they leave your business, they are gone for good and easy to pass around. One misplaced thumb drive, for instance, could be a treasure trove of corporate data.

Data leakage is the easiest way to have your confidential data compromised. A hacker needs to first get into your system, know where the data is, find a way to steal it, and then know what to do with it so that it will cause you harm. With USB, that same data can literally walk out the door. An employee who knows where the data is, how to get it and how to use it, can simply copy it to a USB storage device and off it goes. Thumb drives are now dirt-cheap and hold increasing large datasets. 256GB is a common standard these days – and sells for around $80 (US). Imagine the amounts of company information that can be stored in just one of them.

The answer to USB woes
USB devices fit the very definition of ubiquitous. For instance, thumb drives aren’t just cheap, they are often a popular free give away. Do you think you have a USB problem? Then you need tools and policies to fight it.

If you allow end users to have company files on personal devices, then there needs to be controls so this doesn’t create a data leakage problem you can’t control. Make sure you have a BYOD policy in place and make sure all files moved to USB devices and smartphones are encrypted.

Talking about policy, USB devices should be part of an end user security policy where you can decide either do nothing (not recommended), block them, or control their use (and GFI can help with that).
In the last two cases, IT have to be involved. One solution might be USB blocking tools – which are an effective but imperfect measure as savvy end users can still find ways to unblock them.

Besides just blindly blocking ports, look for ways to control the data and files that go in and out of USB devices. Blocking or control policies can be based on user type (maybe the CEO gets a pass), together with the file type and extension. Because these extensions can be spoofed, such as an executable masquerading as a .doc file, it would be nice to be able to filter and block based on the actual contents of the files.

One last quick tip; disable AutoRun on all Windows machines. A combination of vigilance, strong traditional defenses, a dash of new defenses, and USB policies can go far in keeping your network safe from thumb drive disasters.